i2psnark: Fix double-escaping of '&' (ticket #2127)

2018-01-10 15:29:59 +00:00
parent d55a0c9c39
commit 1c3fc2bbdb
1 changed files with 19 additions and 1 deletions
--- a/apps/i2psnark/java/src/org/klomp/snark/web/I2PSnarkServlet.java
+++ b/apps/i2psnark/java/src/org/klomp/snark/web/I2PSnarkServlet.java
@ -2784,7 +2784,7 @@ public class I2PSnarkServlet extends BasicServlet {
        String link = urlEncode(s);
        String display;
        if (s.length() <= max)
-            display = DataHelper.escapeHTML(link);
+            display = escapeHTML2(link);
        else
            display = DataHelper.escapeHTML(s.substring(0, max)) + "&hellip;";
        buf.append("<a href=\"").append(link).append("\">").append(display).append("</a>");
@ -2801,6 +2801,24 @@ public class I2PSnarkServlet extends BasicServlet {
                .replace("[", "%5B").replace("]", "%5D");
    }

+    private static final String escapeChars[] = {"\"", "<", ">", "'"};
+    private static final String escapeCodes[] = {"&quot;", "&lt;", "&gt;", "&apos;"};
+
+    /**
+     * Modded from DataHelper.
+     * Does not escape ampersand. String must already have escaped ampersand.
+     * @param unescaped the unescaped string, non-null
+     * @return the escaped string
+     * @since 0.9.33
+     */
+    private static String escapeHTML2(String unescaped) {
+        String escaped = unescaped;
+        for (int i = 0; i < escapeChars.length; i++) {
+            escaped = escaped.replace(escapeChars[i], escapeCodes[i]);
+        }
+        return escaped;
+    }
+
    private static final String DOCTYPE = "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\">\n";
    private static final String HEADER_A = "<link href=\"";
    private static final String HEADER_B = "snark.css?" + CoreVersion.VERSION + "\" rel=\"stylesheet\" type=\"text/css\" >";